CN104318161A - Virus detection method and device for Android samples - Google Patents


Info

Publication number
CN104318161A
Authority
CN
China
Prior art keywords
virus
engine
file
killing
program body
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201410659234.7A
Other languages
Chinese (zh)
Inventor
李智鹏
徐传宇
党亮
王士聪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201410659234.7A
Publication of CN104318161A
Legal status: pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements, eliminating virus, restoring damaged files (second classification, sharing the path down to G06F21/56)


Abstract

The invention discloses a virus detection method and device for Android samples. The method comprises: parsing a dex file to obtain code information, which includes package, class and method information; locating in the dex file the program body corresponding to the code information and obtaining the opcode sequence corresponding to that program body; and matching the opcode sequence against virus information to judge whether the opcode sequence contains a virus. By extracting the package, class and method information from the dex file, deriving an opcode sequence from the code and matching it against virus features, the method and device determine whether the file is infected, can locate, detect and remove viruses at the code level, avoid missed detections and improve the efficiency of detection and removal; because detection and removal are carried out by multiple engines, the scheme is highly extensible and fast.

Description

Virus detection method and device for Android samples
Technical field
The present invention relates to the field of network security, and in particular to a virus detection method and device for Android samples.
Background
With the spread of information technology, terminals (computers, mobile phones and similar devices) play an ever larger role in daily life. People increasingly rely on terminals to store personal information: account credentials, private chat records and even photographs. If the terminal is exposed to a malicious file (a malicious URL or a computer virus, for example), personal information can leak and the user can suffer incalculable damage. In the prior art, signature scanning is the most common technique for identifying virus samples: virus features extracted in advance are used to scan and classify unknown samples. Feature extraction takes place after a sample has been confirmed as a virus by manual or automated analysis; a byte pattern or another feature is then extracted from the binary of the sample. During scanning, the anti-virus software tests the unknown file against each feature in its virus database in turn. If some feature matches, the file is reported as the virus that feature represents; if no feature matches, the file is treated as a normal file. Current anti-virus techniques for Android mainly scan the strings in the dex file (the Dalvik virtual machine executable) and match the extracted string features against the features in the virus database. The weakness is that an Android virus such as a Trojan can easily change the strings its code references in the dex file, and so evade detection.
Summary of the invention
In view of this, the technical problem addressed by the present invention is to provide a virus detection method for Android samples that can locate viruses at the code level.
A virus detection method for an Android sample comprises: parsing a dex file to obtain code information, the code information comprising package, class and method information; locating in the dex file the program body corresponding to the code information and obtaining the opcode sequence corresponding to that program body; and matching the opcode sequence against virus information to judge whether the opcode sequence contains a virus.
According to one embodiment of the present invention, the method further comprises: obtaining, from the dex file header in the APK installation package, method names and the position information of the program body corresponding to each method name; navigating to the program body according to that position information; and disassembling the method's instruction sequence in the program body to obtain the opcode sequence.
According to one embodiment of the present invention, the method name and its corresponding entry marker and absolute offset are obtained from the method list in the dex file header; the program body of the method is located from the entry marker and absolute offset; and a Dalvik virtual machine instruction disassembly engine is driven to disassemble the instruction sequence of that program body into the opcode sequence.
According to one embodiment of the present invention, multiple anti-virus engines are driven jointly to perform virus detection: the opcode sequence is matched against the records in the virus database files of the multiple engines, and if a match succeeds the opcode sequence is judged to contain a virus. The multiple engines comprise an AVE engine, an AVM engine, a cloud detection-and-removal engine and a machine learning engine.
According to one embodiment of the present invention, class names are obtained from the class definition table in the dex file header, and a virus detection script drives the AVM engine to match each class name against the class-name feature values or rules in the virus database file of the AVE engine; if a match succeeds, the class is judged to be a virus.
According to one embodiment of the present invention, when the AVM engine judges that the opcode sequence contains a virus, an alert is reported and a removal operation is performed; after the removal succeeds, the virus information is added to the virus database file and the detection result is synchronized to the other anti-virus engines.
According to one embodiment of the present invention, the anti-virus engine comprises a server side and a client side. The server side performs virus detection by matching the opcode sequence against the records in the virus database file, delivers the detection result to the client and issues a recovery scheme; the recovery scheme comprises a file type and the removal method corresponding to that file type.
A further technical problem addressed by the present invention is to provide a virus detection device for Android samples that can locate viruses at the code level.
A virus detection device for an Android sample comprises: a code analysis unit for parsing a dex file to obtain code information, the code information comprising package, class and method information; an instruction sequence acquisition unit for locating in the dex file the program body corresponding to the code information and obtaining the opcode sequence corresponding to that program body; and a virus detection-and-removal unit for matching the opcode sequence against virus information to judge whether the opcode sequence contains a virus.
According to one embodiment of the present invention, the code analysis unit is further configured to obtain, from the dex file header in the APK installation package, method names and the position information of the program body corresponding to each method name; the instruction sequence acquisition unit is further configured to navigate to the program body according to that position information and to disassemble the method's instruction sequence in the program body into the opcode sequence.
According to one embodiment of the present invention, the code analysis unit is further configured to obtain, from the method list in the dex file header, the method name and its corresponding entry marker and absolute offset; the instruction sequence acquisition unit is further configured to locate the program body of the method from the entry marker and absolute offset and to drive a Dalvik virtual machine instruction disassembly engine to disassemble the instruction sequence of that program body into the opcode sequence.
According to one embodiment of the present invention, the virus detection-and-removal unit is further configured to drive multiple anti-virus engines jointly to perform virus detection, matching the opcode sequence against the records in the virus database files of the multiple engines and judging that the opcode sequence contains a virus if a match succeeds; the multiple engines comprise an AVE engine, an AVM engine, a cloud detection-and-removal engine and a machine learning engine.
According to one embodiment of the present invention, the code analysis unit is further configured to obtain class names from the class definition table in the dex file header, and the virus detection-and-removal unit is further configured to drive the AVM engine, through the virus detection script, to match each class name against the class-name feature values in the virus database file of the AVE engine, judging the class to be a virus if a match succeeds.
According to one embodiment of the present invention, the virus detection-and-removal unit is further configured, when the AVM engine judges that the opcode sequence contains a virus, to report an alert and perform a removal operation, and to add the virus information to the virus database file after the removal succeeds.
The virus detection method and device of the present invention extract the package, class and method information from the dex file, obtain an opcode sequence from the code and match it against virus features to determine whether the file is infected. Detection and removal can thus be located at the code level, missed detections are avoided, and detection and removal efficiency is improved. Because detection and removal are performed by multiple engines, the scheme is highly extensible and fast.
This description is provided by way of example and for the purpose of illustration; it is not exhaustive and does not limit the invention to the disclosed form. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiments were chosen and described to best explain the principles of the invention and its practical application, so that those of ordinary skill in the art can understand the invention and design various embodiments with various modifications suited to particular uses.
Brief description of the drawings
To explain the embodiments of the present invention or the prior art more clearly, the drawings required by the embodiments or by the description of the prior art are briefly introduced below. The drawings described below show only some embodiments of the invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of an embodiment of the virus detection method for Android samples according to the present invention;
Fig. 2A is a schematic diagram of the virus record unit of the AVE engine; Fig. 2B is a schematic diagram of the execution mode of the AVE engine; Fig. 2C is a schematic diagram of the AVE engine selecting the compiler information of an executable file as a file feature; Fig. 2D is a schematic diagram of AVE engine execution;
Fig. 3 is a schematic diagram of an embodiment of the virus detection device for Android samples according to the present invention.
Detailed description
The present invention is described more fully below with reference to the drawings, in which exemplary embodiments are shown. The technical solutions in the embodiments are described clearly and completely; the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments that those of ordinary skill in the art obtain from these embodiments without creative effort fall within the scope of protection of the invention.
Embodiments of the invention may be applied to a computer system or server that operates together with numerous other general-purpose or special-purpose computing environments or configurations. Well-known computing systems, environments and configurations suitable for use with such a computer system or server include, without limitation: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above.
The computer system or server may be described in the general context of computer-system-executable instructions (such as program modules) executed by a computer system. Program modules generally include routines, programs, object programs, components, logic, data structures and the like that perform particular tasks or implement particular abstract data types. The computer system or server may be implemented in a distributed cloud computing environment in which tasks are performed by remote processing devices linked through a communication network; there, program modules may reside on local or remote computer system storage media, including memory devices.
Fig. 1 is a flow chart of an embodiment of the virus detection method for Android samples according to the present invention. As shown in Fig. 1:
Step 101: parse the dex file to obtain code information; the code information comprises the package, class and method information of the Java program.
Step 102: locate in the dex file the program body corresponding to the code information, and obtain the opcode sequence corresponding to that program body.
Step 103: match the opcode sequence against virus information and judge whether the opcode sequence contains a virus.
The virus detection method of the present invention can locate and remove viruses at the code level, avoids missed detections, and improves detection and removal efficiency.
An Android installation package (APK file) is generally downloaded from an Android application market and installed on a mobile phone; it can also be installed from a PC over a USB data cable or a wireless link. A virus, Trojan or other malware that wants to reach a user's phone must likewise be packaged as an APK. On this basis, an anti-virus engine can narrow its target to the scanning of APK files, which greatly improves scanning efficiency. Which information in the APK should be the focus of the scan? The present application analyses this question as follows:
1) Package name
The Android operating system manages each installed APK by its package name. The concept comes from the Java package and follows the Java package naming style; for example, the package name of one Android installation package is com.qihoo360.mobilesafe. Android requires each application to declare a unique package name. Malware on the Android platform must also declare a package name, so the package name can serve as an important feature for identifying malware.
2) Digital signature
For security, the Android system requires every APK to carry a digital signature. When installing an APK, the system checks whether the digital signature of each file inside the APK is consistent with the signature recorded in the package; if it is inconsistent or missing, the file is considered tampered with, and the installation and execution of the APK are refused. Malware on Android is no exception, so the digital signature of the APK file can also serve as an important feature for identifying malware.
3) Access information of each module listed in AndroidManifest.xml
AndroidManifest.xml is the global description file that every APK must contain; it lists the access information of each module of the application in the installation package. In Android, only modules listed in AndroidManifest.xml can be invoked by the system. Trojans on Android often disguise themselves as normal applications or games to trick users into installing them; many of them are parasites inside an otherwise normal application or game. When the user launches it, it looks like the original software or game, but the parasitic Trojan module is activated at a suitable moment and infects the phone. Because Android requires all modules to be listed in AndroidManifest.xml, the manifest provides an important clue for finding parasitic Trojans. The module information listed in AndroidManifest.xml is therefore also an important feature for identifying malware.
4) Dex files and ELF files
Android applications are normally developed in Java. After compilation by the Android development tools they become binary bytecode, which is packaged into the classes.dex file and interpreted by the Dalvik virtual machine of the Android platform. To call system functions, Android provides a runtime environment (the Android Framework), and every system function an application calls is reached through the libraries of the Android Framework.
Android also supports applications that run directly through JNI or as native executables. Such code is binary machine code executed directly on the CPU without interpretation by the virtual machine; it can call Android libraries such as libc, WebKit, SQLite and OpenGL/ES directly to use system functions. If an Android application is to run through JNI or as a native executable, the code to be executed must be compiled into the ELF format. ELF (Executable and Linkable Format) is the file format of executable programs and shared libraries on Android/Linux.
Malware that wants to run on Android must also follow the framework conventions above. In identifying malware, corresponding features can therefore be extracted from the Dex file (the bytecode file) and from ELF files respectively.
In addition, the version number of the Android installation package and the MD5 values of the files in the installation package directory can also serve as important features for identifying malware. Here malware includes viruses, Trojans and other malicious software.
In Android, a dex file is a file that the Dalvik virtual machine can load and run directly. The Dalvik virtual machine is the virtual machine of Android programs and the runtime basis of Java programs on Android. Its instruction set is register-based, and it executes its own file format, dex bytecode, performing key functions such as object life-cycle management, stack management, thread management, security and exception management, and garbage collection. Each Android application corresponds at the bottom layer to an independent Dalvik virtual machine instance. The code it interprets is a sequence of opcodes (op-codes), the most basic units of program execution.
The Dex file header (Dalvik VM Dex File Format) contains the start of the DEX file, some simple header checksums, and the offsets of the other structures. The header refers to multiple tables, for example: the string table, which stores the lengths and offsets of the string constants in the DEX file (class names, variable names and other strings); the class list, which records references to all classes in one list; the class definition table, whose records include the class name and the offset addresses of its methods; the method table, whose records include the owning class and the method name; and the method list, whose records include the method index, the entry marker and the offset address.
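The header described above can be parsed directly. What follows is an added example written for this page, not code from the patent or from Qihoo's engines; it parses the fixed 0x70-byte DEX header, verifies the Adler-32 checksum and SHA-1 signature the header carries, and checks that every ID table lies inside file_size before a scanner walks it. The DEX buffer is constructed inline (a header plus a 16-byte stand-in data section) so the block runs offline; field names follow the public DEX format specification.

```python
"""Parse a DEX file header and verify its integrity fields.
Added example, not code from the patent or from Qihoo; the sample DEX below is
constructed (header plus a 16-byte data section) so the block runs offline."""
import hashlib
import struct
import zlib

DEX_HEADER_FMT = "<8sI20s20I"          # magic, checksum, signature, 20 little-endian u4 fields
DEX_HEADER_SIZE = struct.calcsize(DEX_HEADER_FMT)   # 0x70
U4_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off",
    "map_off", "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)
KNOWN_VERSIONS = (b"035", b"037", b"038", b"039")
# Fixed entry size of each ID table, used to bounds-check table offsets against file_size.
TABLE_ITEM_SIZE = {"string_ids": 4, "type_ids": 4, "proto_ids": 12,
                   "field_ids": 8, "method_ids": 8, "class_defs": 32}


def parse_dex_header(buf):
    """Return the header fields plus checksum_ok / signature_ok; raise ValueError on a
    header that a scanner must not trust (bad magic, bad sizes, table outside the file)."""
    if len(buf) < DEX_HEADER_SIZE:
        raise ValueError("buffer shorter than a DEX header")
    magic, checksum, signature, *fields = struct.unpack_from(DEX_HEADER_FMT, buf, 0)
    if magic[:4] != b"dex\n" or magic[7:8] != b"\x00" or magic[4:7] not in KNOWN_VERSIONS:
        raise ValueError("bad DEX magic %r" % magic)
    hdr = dict(zip(U4_FIELDS, fields))
    hdr["version"] = magic[4:7].decode()
    file_size = hdr["file_size"]
    if hdr["header_size"] != DEX_HEADER_SIZE or file_size > len(buf):
        raise ValueError("header_size/file_size inconsistent with the buffer")
    if hdr["endian_tag"] != 0x12345678:
        raise ValueError("unsupported endian_tag 0x%08x" % hdr["endian_tag"])
    # checksum covers everything after the first 12 bytes, signature everything after the first 32
    hdr["checksum_ok"] = (zlib.adler32(buf[12:file_size]) & 0xFFFFFFFF) == checksum
    hdr["signature_ok"] = hashlib.sha1(buf[32:file_size]).digest() == signature
    for table, item_size in TABLE_ITEM_SIZE.items():
        size, off = hdr[table + "_size"], hdr[table + "_off"]
        if size and off + size * item_size > file_size:
            raise ValueError("%s table (%d entries at 0x%x) falls outside the file" % (table, size, off))
    return hdr


def build_sample_dex():
    """Constructed sample: a header that declares one string_id entry, followed by a
    16-byte data section standing in for the rest of the file."""
    data = bytes(range(16))
    file_size = DEX_HEADER_SIZE + len(data)
    fields = dict.fromkeys(U4_FIELDS, 0)
    fields.update(file_size=file_size, header_size=DEX_HEADER_SIZE, endian_tag=0x12345678,
                  map_off=DEX_HEADER_SIZE, string_ids_size=1, string_ids_off=DEX_HEADER_SIZE,
                  data_size=len(data), data_off=DEX_HEADER_SIZE)
    tail = struct.pack("<20I", *(fields[n] for n in U4_FIELDS)) + data   # bytes 32..file_size
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF               # bytes 12..file_size
    return struct.pack("<8sI20s", b"dex\n035\x00", checksum, signature) + tail


if __name__ == "__main__":
    sample = build_sample_dex()
    hdr = parse_dex_header(sample)
    print("dex %s, %d bytes, checksum_ok=%s signature_ok=%s"
          % (hdr["version"], hdr["file_size"], hdr["checksum_ok"], hdr["signature_ok"]))
```

The checksum and signature are not a security boundary: anyone repacking a dex recomputes them. They are a sanity gate for the scanner, which reads the table offsets from this header and then seeks through the file with them; a header that fails these checks, or whose tables run past file_size, is the first place a malformed sample can knock a parser off course, so the later locate-and-disassemble stages should not run on it.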
From the dex file header in the APK installation package, the method names and the position information of the program body corresponding to each method name are obtained; the program body is located from that position information, and the method's instruction sequence in the program body is disassembled to obtain the opcode sequence. All methods in the dex file can be enumerated from the method table and the method list, and each method's program body can be located from parameters such as its entry marker and offset address. Specifically: the method name and its corresponding entry marker and absolute offset are obtained from the method list in the dex file header; the program body of the method is located from the entry marker and absolute offset; and the Dalvik virtual machine instruction disassembly engine is driven to disassemble the instruction sequence of that program body into the opcode sequence.
The virus detection method of the present invention can perform detection with multiple anti-virus engines driven jointly: the opcode sequence is matched against the records in the virus database files of the multiple engines, and if a match succeeds the opcode sequence is judged to contain a virus. The multiple engines include an AVE engine, an AVM engine, a cloud detection-and-removal engine, a machine learning engine and so on.
For example, the AVM engine can detect a virus by scanning the virus code itself. First, the dex file in the APK installation package (the Dalvik virtual machine executable) is parsed to obtain information such as its packages, classes and methods. Through the package, class and method, the program body that the corresponding Java file compiled into can be located; this program body consists of a Dalvik virtual machine instruction sequence. A Dalvik virtual machine instruction disassembly engine disassembles the method's instruction sequence into a Dalvik opcode sequence, and that sequence is matched to determine whether the method is a Trojan.
According to one embodiment of the present invention, a virus detection script drives the AVM engine to match the opcode sequence against the records in the virus database file of the AVE engine; if a match succeeds, the opcode sequence is judged to contain a virus. For example, the AVE virus database file records the features of various viruses, including Trojans and worms; the opcode sequence is matched against these features to determine whether a virus is present, and of which type.
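Steps 102 and 103 as described above, from the program body to the opcode sequence to the feature match, as an added example written for this page (not the AVM or AVE engine's code): it parses a code_item, walks the Dalvik instruction stream using each opcode's instruction width, skips the switch and array-data payload pseudo-instructions (which a naive walker would decode as if they were code, so that attacker-chosen data bytes would appear in the opcode sequence), and matches the resulting sequence against wildcard patterns with a floating search. The method body and the signatures are constructed for the example; the signature names are hypothetical.

```python
"""Program body -> Dalvik opcode sequence -> signature match.
Added example for this page, not the AVM/AVE engine's code. The code_item and the
signatures below are constructed; signature names are hypothetical."""
import struct

# Width of every Dalvik opcode in 16-bit code units, from its instruction format:
# 10x/11x/12x/11n/10t = 1, 21c/21s/21h/21t/22x/22b/22c/22s/22t/23x = 2,
# 30t/31c/31i/31t/32x/35c/3rc = 3, 45cc/4rcc = 4, 51l = 5. Unused opcodes default to 1.
def _build_widths():
    w = [1] * 256
    two = ([0x02, 0x05, 0x08, 0x13, 0x15, 0x16, 0x19, 0x1A, 0x1C, 0x1F, 0x20, 0x22, 0x23, 0x29]
           + list(range(0x2D, 0x3E))      # cmp-kind, if-test, if-testz
           + list(range(0x44, 0x6E))      # aget/aput, iget/iput, sget/sput
           + list(range(0x90, 0xB0))      # binop
           + list(range(0xD0, 0xE3))      # binop/lit16, binop/lit8
           + [0xFE, 0xFF])                # const-method-handle, const-method-type
    three = ([0x03, 0x06, 0x09, 0x14, 0x17, 0x1B, 0x24, 0x25, 0x26, 0x2A, 0x2B, 0x2C]
             + list(range(0x6E, 0x73))    # invoke-kind
             + list(range(0x74, 0x79))    # invoke-kind/range
             + [0xFC, 0xFD])              # invoke-custom, invoke-custom/range
    for op in two:
        w[op] = 2
    for op in three:
        w[op] = 3
    w[0xFA] = w[0xFB] = 4                 # invoke-polymorphic, invoke-polymorphic/range
    w[0x18] = 5                           # const-wide
    return w

OPCODE_WIDTH = _build_widths()
CODE_ITEM_FMT = "<HHHHII"   # registers_size, ins_size, outs_size, tries_size, debug_info_off, insns_size
CODE_ITEM_HDR = struct.calcsize(CODE_ITEM_FMT)   # 16 bytes, then insns_size 16-bit units


def parse_code_item(blob):
    """Split a code_item (the method's program body) into its header and instruction bytes."""
    regs, ins, outs, tries, debug_off, insns_size = struct.unpack_from(CODE_ITEM_FMT, blob, 0)
    insns = blob[CODE_ITEM_HDR:CODE_ITEM_HDR + 2 * insns_size]
    if len(insns) != 2 * insns_size:
        raise ValueError("insns_size runs past the end of the code_item")
    return {"registers_size": regs, "ins_size": ins, "outs_size": outs, "tries_size": tries,
            "debug_info_off": debug_off, "insns_size": insns_size, "insns": insns}


def opcode_sequence(insns):
    """Walk the instruction stream and return [(unit_offset, opcode), ...].
    Payload pseudo-instructions (nop with ident 0x01/0x02/0x03) are data, not code:
    they are stepped over whole so their contents never show up as opcodes."""
    units = struct.unpack("<%dH" % (len(insns) // 2), insns)
    seq, pos = [], 0
    while pos < len(units):
        op, hi = units[pos] & 0xFF, units[pos] >> 8
        if op == 0x00 and hi in (0x01, 0x02, 0x03):
            if pos + (2 if hi == 0x02 else 4) > len(units):
                raise ValueError("payload header at unit %d is truncated" % pos)
            size = units[pos + 1]
            if hi == 0x01:                       # packed-switch-payload: first_key + size targets
                width = 4 + 2 * size
            elif hi == 0x02:                     # sparse-switch-payload: size keys + size targets
                width = 2 + 4 * size
            else:                                # fill-array-data-payload: size is element_width here
                count = units[pos + 2] | (units[pos + 3] << 16)
                width = 4 + (size * count + 1) // 2
        else:
            width = OPCODE_WIDTH[op]
            seq.append((pos, op))
        pos += width
        if pos > len(units):
            raise ValueError("instruction at unit %d is truncated" % (pos - width))
    return seq


def match_signature(ops, pattern):
    """Floating search of a wildcard pattern (None matches any opcode) over an opcode list;
    returns the index of the first hit, or -1."""
    n = len(pattern)
    for i in range(len(ops) - n + 1):
        if all(p is None or p == o for p, o in zip(pattern, ops[i:i + n])):
            return i
    return -1


SIGNATURES = {   # constructed, hypothetical opcode signatures
    "hypothetical.load-call-store-return": [0x1A, 0x71, 0x0C, None, None, 0x0E],
    "hypothetical.static-call-then-test": [0x71, 0x0C, 0x38],
    "hypothetical.wide-const-then-return": [0x18, 0x10],
}


def scan_code_item(blob, signatures=SIGNATURES):
    """Names of the signatures that hit anywhere in the method's opcode sequence."""
    ops = [op for _, op in opcode_sequence(parse_code_item(blob)["insns"])]
    return sorted(name for name, pat in signatures.items() if match_signature(ops, pat) >= 0)


def build_sample_code_item():
    """Constructed method body: const-string; invoke-static; move-result-object; if-eqz;
    fill-array-data; return-void; then a 3-byte fill-array-data payload after the code."""
    units = [
        0x001A, 0x0005,              # const-string v0, string@5
        0x1071, 0x0003, 0x0000,      # invoke-static {v0}, method@3
        0x010C,                      # move-result-object v1
        0x0138, 0x0005,              # if-eqz v1, +5 (to return-void)
        0x0126, 0x0004, 0x0000,      # fill-array-data v1, +4 (payload at unit 12)
        0x000E,                      # return-void
        0x0300, 0x0001, 0x0003, 0x0000, 0xBBAA, 0x00CC,   # payload: width 1, 3 elements, padded
    ]
    header = struct.pack(CODE_ITEM_FMT, 2, 1, 1, 0, 0, len(units))
    return header + struct.pack("<%dH" % len(units), *units)


if __name__ == "__main__":
    item = build_sample_code_item()
    for off, op in opcode_sequence(parse_code_item(item)["insns"]):
        print("unit %2d  opcode 0x%02x" % (off, op))
    print(scan_code_item(item))
```

The width table is what makes the sequence robust against the string-renaming evasion the background section describes: a sample that only changes its string constants keeps the same opcode stream, while a naive byte-pattern scanner would miss it. The payload handling matters for the opposite reason: without it, the bytes of a switch table or an array literal are decoded as instructions, and an author can place whatever opcode bytes they like there to break or trigger a pattern.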
According to one embodiment of present invention, look into viricidal rule and virus characteristic can arrange multiple, can arrange according to concrete killing virus demand.Such as, can be detected by the class name of known viruse, such as, known viral category-A etc., from the class list of file names dex file header, obtain class name, and drive AVM engine to be mated with the class name eigenwert in the virus base file of AVE engine or rule by class name by Viral diagnosis script, this class name eigenwert is the known viral class name stored in virus base library, if the match is successful, judge that this type of is virus, and killing result is synchronized in other antivirus engine.
Antivirus engine can comprise: service end and client, and such as, cloud killing engine etc. comprises server end killing instrument and client killing instrument.Service end is by carrying out Viral diagnosis by the record matching in opcode sequence and virus base file, Viral diagnosis result is issued to client, and recovery scenario is provided, recovery scenario comprises: file type, checking and killing method corresponding with file type etc., and client can carry out killing virus according to recovery scenario.Client can be arranged on mobile phone, PC, PAD etc., by the client killing engine on mobile phone terminal etc., or the instrument such as application distribution platform on mobile phone terminal etc., for user provides reliable mobile Internet security service.
When AVM engine judges that opcode sequence comprises virus, then carry out warning information report and carry out virus killing operation, after execution virus killing successful operation, Virus Info is added in virus base file, the Virus Info added comprises: the method name occurring virus, and the new class name inheriting viral class name etc.
By said method, the present invention is in conjunction with multiple antivirus engine, and in the process of concrete Viral diagnosis, can complete the synchronous of server end and client, the embodiment of the present application lists safe, dangerous, careful and wooden horse four level of securitys.Wherein, various level of security is defined as follows:
Safety: this application is an application normally, without any the behavior threatening user mobile phone safety;
Dangerous: this application exists security risk, likely this application inherently Malware; Also likely this application was the normal software that regular company issues originally, but because there are security breaches, caused the privacy of user, mobile phone safe is on the hazard;
Careful: this application is an application normally, but there are some problems, such as, user can be allowed to be deducted fees because of carelessness, or have disagreeableness advertisement to be complained; After this kind of application of discovery, the careful use of user can be pointed out and inform the behavior that this application is possible, but deciding whether remove this application in its sole discretion by user;
Wooden horse: this application is virus, wooden horse or other Malwares, herein in order to simply be referred to as wooden horse, but does not represent that this application is only wooden horse.
So, when Servers installed identifies safely storehouse, can using the Android installation kit under safety, danger, careful and wooden horse four ranks all as sample Android installation kit, thus the feature record obtained by the single feature in sample or Feature Combination can correspond to a kind of level of security and the information such as relevant behavior and description respectively.
The virus detection script of the AVM engine uses AVScript, a script language modelled on x86 assembly instructions; a script statement is composed of functional methods. Functional methods fall into two large classes: detection methods and killing methods. Detection methods are used to detect viruses; killing methods operate on a file that has been confirmed as a virus in order to delete or remove the virus or Trojan.
The detection methods of the AVM engine fall into two classes: basic methods and extended methods. The basic methods include locate, match, control, value and operate. Locate: AVScript separates locating from matching, which reduces IO and improves detection accuracy. The AVM engine can locate a specific package, class or method; when a locate succeeds, the location result is pushed onto the AVE run stack for use by match and other methods.
Match: AVScript provides matching methods that work on the locate result; match targets are divided into binary matching and opcode matching, and matching supports wildcards and floating search. Control: AVScript provides a set of control methods similar to those of x86. Control methods fall into two classes: jump methods and return methods.
A jump method modifies the current execution sequence of the AVE engine and jumps to the specified method to continue execution. A return method immediately terminates the detection (killing) process of the current AVE engine and can explicitly return the specified result, namely killing target or non-killing target.
Value: because the AVE engine provides register-like storage and variables, AVScript provides value methods that explicitly set registers and variables. AVScript provides three kinds of value methods: constant, reference and load.
Operate: AVScript provides a set of operation methods similar to those of x86, including add, subtract, multiply, divide, logical and/or, various shifts and compare. The operands are AVScript stack variables and registers.
AVScript also provides a large number of extended methods, which make it convenient to obtain more precise detection information. For example, the simulated jump method simulates the CPU resolving call/jmp/jcc/loop instructions and returns the jump destination address, and the instruction analysis method analyses the instruction at a specified address and returns information such as its opcode, operands and instruction length.
When the AVM engine confirms through the virus detection script that the target file is a virus file, it calls a killing method to disinfect it. The killing methods of the AVM engine fall into two main classes: one for files that are themselves viruses or Trojans, where killing only requires deleting the target file directly; the other for infecting viruses (which insert their own virus code into a normal executable file and seize control first at run time), which are removed by combining several killing methods.
AVScript provides the following general killing methods: delete file directly: the target file is deleted; set entry point address: the entry point of an executable file is modified; fill data block: data are written to a specified region; copy data block: data are copied within the target file; delete PE file section: for the PE file structure, the specified section is deleted and the PE format is adjusted accordingly; delete file header data: data of a specified size are deleted from the head; delete file tail data: data of a specified size are deleted from the tail and the PE file structure is modified; set file size: the file size is set directly.
The AVScript of the AVM engine is organized in units of virus detection-and-killing records. The structure of each record is shown in Figure 2A: the virus info block provides information such as the classification, operating platform, name and variant number of the virus the record targets; the scan block may only use AVScript detection methods; the kill block may use both killing methods and detection methods. A record must have a virus info block and a scan block, but may omit the kill block, in which case the record's default killing method is file deletion.
AVScript itself is written in XML; once written, it is compiled by the AVScript compiler into an intermediate file, which is the virus library file of the AVE engine, and is then interpreted and executed by the AVE engine. A virus library file can hold many records, and each record contains many methods. AVScript execution is therefore divided into inter-record execution and intra-record execution.
Inter-record execution: for the AVM engine, every file to be checked must be matched against all virus records. When there are few records, the AVE engine uses a flat execution mode, as shown in Figure 2B. When the virus library of the AVE engine has a large number of records and flat execution would greatly reduce killing efficiency, the AVE engine restructures the virus library records so that a file to be checked only needs to be checked against a subset of records. To do this, a file feature is added to each record, and a record only needs to be checked when the file to be checked matches that feature. The chosen features must be mutually exclusive, and for efficiency must also allow fast classification. The compiler information of the executable file can be chosen as the file feature, as shown in Figure 2C. Before a file to be checked enters the engine, its compiler is checked first, the record set for that compiler is loaded, and the AVE engine then executes the killing.
Intra-record execution: the AVE engine judges whether the file to be checked is a virus file by executing the AVScript. Because AVScript supports conditional branch execution, the execution mode of the AVE engine resembles a miniature virtual machine.
For example, the components of the AVE engine include: EIP, the current method pointer; flag bits, including the zero flag, sign flag and so on; a result stack, which saves the result after each method executes; and a context, which includes the current method ID, the previous method ID, the number of steps executed, the last locate result, the global locate result, the last value result and the global value result, as shown in Figure 2D.
The AVE engine executes each method in turn; if a method fails, the killing for this record terminates. If all methods execute successfully, the target file is deemed a virus file and the AVE engine outputs the virus info. The AVE engine first traverses the methods of the scan block; if the target file is confirmed as a virus file, it then executes the methods of the kill block, and the results produced by the scan block remain available.
The AVE engine provides a compilation mode that compiles AVScript into a binary intermediate file, so that killing by the AVE engine only needs to read this binary intermediate file; this binary intermediate file is the virus library file of the AVE engine. AVScript is written in the XML language. Each method has a unique GUID, so that method calls never conflict.
The AVE engine defines a set of debug events; when execution of the AVE engine reaches a certain state, the corresponding debug event is generated. After a debug event is generated, the AVE engine notifies the debugger through the callback interface registered in its callback mechanism. The AVScript debugger registers a callback interface with the AVE engine, and when a debug event occurs the AVE engine calls the interface that the AVScript debugger registered. The callback mechanism of the AVE engine passes the debug event type and the execution context of the engine to the callback interface, which makes it possible to inspect the execution of the AVE engine.
Because virus killing by the AVE engine uses AVScript, it is easy to edit as required, highly extensible, and fast in both detection and killing.
As shown in Figure 3, the invention provides a virus detection device 33 for Android samples, comprising a code parsing unit 331, an instruction sequence acquisition unit 332 and a virus killing unit 333. The code parsing unit 331 parses the dex file to obtain code information, which comprises package, class and method information. The instruction sequence acquisition unit 332 locates the program body corresponding to the code information in the dex file and obtains the opcode sequence corresponding to the program body. The virus killing unit 333 matches the opcode sequence with virus information and judges whether the opcode sequence contains a virus.
According to one embodiment of the invention, the code parsing unit 331 obtains the method name and the position information of the program body corresponding to the method name from the dex file header in the APK installation package. The instruction sequence acquisition unit 332 locates the program body according to its position information, disassembles the method instruction sequence in the program body, and obtains the opcode sequence.
According to one embodiment of the invention, the code parsing unit 331 obtains the method name and the corresponding entry identifier and absolute offset value from the method list in the dex file header. The instruction sequence acquisition unit 332 locates the program body of the method according to the entry identifier and absolute offset value, drives the Dalvik virtual machine instruction disassembly engine to disassemble the instruction sequence of the method's program body, and obtains the opcode sequence.
The virus killing unit 333 drives multiple antivirus engines to perform virus detection jointly: the opcode sequence is matched with the records in the virus library files of the multiple antivirus engines, and if the match succeeds the opcode sequence is judged to contain a virus. The multiple antivirus engines comprise an AVE engine, an AVM engine, a cloud killing engine, a machine learning engine and so on.
According to one embodiment of the invention, the code parsing unit 331 obtains class names from the class name list in the dex file header. The virus killing unit 333 drives the AVM engine, through the virus detection script, to match the class name against the class name feature values in the virus library file of the AVE engine; if the match succeeds, the class is judged to be a virus.
According to one embodiment of the invention, when the AVM engine judges that the opcode sequence contains a virus, the virus killing unit 333 reports a warning and performs the killing operation; after the killing operation succeeds, the virus information is added to the virus library file.
The virus detection method and device for Android samples of the invention extract information such as packages, classes and methods from the dex file, obtain the opcode sequence from the code and match it against virus features to determine whether the sample is infected, which avoids missed detections of viruses and improves detection and killing efficiency.
The method and system of the invention may be realized in many ways, for example by software, hardware, firmware, or any combination of software, hardware and firmware. The order of the method steps given above is for description only; the steps of the method of the invention are not limited to the order specifically described above unless otherwise stated. In addition, in some embodiments the invention may also be embodied as a program recorded on a recording medium, the program comprising machine-readable instructions for implementing the method of the invention. Thus the invention also covers a recording medium storing a program for executing the method of the invention.
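The record-driven matching described above (the locate and match basic methods, the per-record scan block with its first-failure-terminates rule, inter-record dispatch by a file feature, and the AVM engine's class-name feature check) modelled in Python as an added example; this is not the patent's or the product's own code, and every function name, record, opcode pattern and sample in it is constructed for illustration (the opcode byte values are real Dalvik encodings, the package names are hypothetical).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

WILD = None  # wildcard slot in an opcode pattern (the text's "wild symbol")
# Real Dalvik opcode byte values used in the constructed samples below.
CONST_STRING, INVOKE_STATIC, MOVE_RESULT_OBJECT = 0x1A, 0x71, 0x0C
INVOKE_VIRTUAL, RETURN_VOID, CONST_4 = 0x6E, 0x0E, 0x12

@dataclass
class Sample:                          # stand-in for the code-parsing unit's output
    feature: str                       # file feature used for inter-record dispatch
    methods: Dict[str, List[int]]      # "Lpkg/Class;->method" -> opcode sequence

@dataclass
class Context:                         # per-record engine state, as listed in the text
    eip: int = 0                       # index of the method currently executing
    last_locate: Optional[str] = None  # result of the most recent locate
    last_value: int = -1               # offset returned by the most recent match
    result_stack: List[bool] = field(default_factory=list)

Method = Callable[[Sample, Context], bool]

@dataclass
class Record:
    virus_info: dict
    feature: str
    scan: List[Method]
    kill: List[str] = field(default_factory=list)  # empty -> default "delete file"

def match_opcodes(seq, pattern, floating=True, start=0) -> int:
    """Offset of the first pattern match in seq, or -1. WILD matches any opcode;
    floating=False anchors the match at `start` instead of searching forward."""
    last = len(seq) - len(pattern)
    starts = range(start, last + 1) if floating else ([start] if start <= last else [])
    for i in starts:
        if all(p is WILD or p == seq[i + j] for j, p in enumerate(pattern)):
            return i
    return -1

def locate(method_name: str) -> Method:
    """Locate: succeed if the method exists and keep it for the following match."""
    def run(sample, ctx):
        ctx.last_locate = method_name if method_name in sample.methods else None
        return ctx.last_locate is not None
    return run

def match(pattern, floating=True) -> Method:
    """Match: opcode-pattern match inside the most recently located method."""
    def run(sample, ctx):
        if ctx.last_locate is None:
            return False
        ctx.last_value = match_opcodes(sample.methods[ctx.last_locate], pattern, floating)
        return ctx.last_value >= 0
    return run

def class_feature(fragment: str) -> Method:
    """Class-name feature-value match (the AVM class-name check in the text)."""
    return lambda sample, ctx: any(fragment in m.split("->")[0] for m in sample.methods)

def run_record(record: Record, sample: Sample) -> Optional[Context]:
    """Intra-record execution: methods run in order; the first failure ends the record."""
    ctx = Context()
    for ctx.eip, method in enumerate(record.scan):
        ctx.result_stack.append(method(sample, ctx))
        if not ctx.result_stack[-1]:
            return None
    return ctx

def scan_sample(records: List[Record], sample: Sample) -> List[dict]:
    """Inter-record execution: only records whose file feature matches the sample run."""
    return [{**r.virus_info, "kill": r.kill or ["delete_file"]} for r in records
            if r.feature == sample.feature and run_record(r, sample) is not None]

# Constructed virus library and samples (hypothetical names and patterns).
RECORDS = [Record({"name": "Example.Loader.a", "platform": "Android"}, "dx", scan=[
    class_feature("Lcom/example/loader/"), locate("Lcom/example/loader/Boot;->run"),
    match([CONST_STRING, INVOKE_STATIC, WILD, MOVE_RESULT_OBJECT])])]
BENIGN = Sample("dx", {"Lcom/example/app/Main;->onCreate": [CONST_4, INVOKE_VIRTUAL, RETURN_VOID]})
SUSPECT = Sample("dx", {"Lcom/example/loader/Boot;->run":
                        [CONST_4, CONST_STRING, INVOKE_STATIC, CONST_4, MOVE_RESULT_OBJECT, RETURN_VOID]})
```

`scan_sample(RECORDS, SUSPECT)` yields the record's virus info with the default kill action, while the benign sample fails at the first scan method and a sample with a different file feature never has the record run at all.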

Claims (10)

1. A virus detection method for an Android sample, comprising:
parsing a dex file to obtain code information, the code information comprising package, class and method information;
locating, in the dex file, the program body corresponding to the code information, and obtaining the opcode sequence corresponding to the program body;
matching the opcode sequence with virus information to judge whether the opcode sequence contains a virus.
2. The method of claim 1, characterized in that:
the method name and the position information of the program body corresponding to the method name are obtained from the dex file header in the APK installation package;
the program body is located according to its position information, and the method instruction sequence in the program body is disassembled to obtain the opcode sequence.
3. The method of claim 2, characterized in that:
the method name and the corresponding entry identifier and absolute offset value are obtained from the method list in the dex file header;
the program body of the method is located according to the entry identifier and absolute offset value, and the Dalvik virtual machine instruction disassembly engine is driven to disassemble the instruction sequence of the program body of the method to obtain the opcode sequence.
4. The method of claim 3, characterized in that:
multiple antivirus engines are driven to perform virus detection jointly;
wherein the opcode sequence is matched with the records in the virus library files of the multiple antivirus engines, and if the match succeeds, the opcode sequence is judged to contain a virus;
the multiple antivirus engines comprise: an AVE engine, an AVM engine, a cloud killing engine and a machine learning engine.
5. The method of claim 4, characterized in that:
the class name is obtained from the class name list in the dex file header, and the AVM engine is driven, through the virus detection script, to match the class name against the class name feature values or rules in the virus library file of the AVE engine; if the match succeeds, the class is judged to be a virus;
when the AVM engine judges that the opcode sequence contains a virus, a warning is reported and a killing operation is performed; after the killing operation succeeds, the virus information is added to the virus library file and the killing result is synchronized to the other antivirus engines;
the antivirus engine comprises a server side and a client side;
the server side performs virus detection by matching the opcode sequence with the records in the virus library file;
the server side delivers the virus detection result to the client side and delivers a repair scheme, the repair scheme comprising a file type and the killing method corresponding to the file type.
6. A virus detection device for an Android sample, characterized in that it comprises:
a code parsing unit, for parsing a dex file to obtain code information, the code information comprising package, class and method information;
an instruction sequence acquisition unit, for locating, in the dex file, the program body corresponding to the code information and obtaining the opcode sequence corresponding to the program body;
a virus killing unit, for matching the opcode sequence with virus information and judging whether the opcode sequence contains a virus.
7. The device of claim 6, characterized in that:
the code parsing unit is further for obtaining the method name and the position information of the program body corresponding to the method name from the dex file header in the APK installation package;
the instruction sequence acquisition unit is further for locating the program body according to its position information, disassembling the method instruction sequence in the program body, and obtaining the opcode sequence.
8. The device of claim 7, characterized in that:
the code parsing unit is further for obtaining the method name and the corresponding entry identifier and absolute offset value from the method list in the dex file header;
the instruction sequence acquisition unit is further for locating the program body of the method according to the entry identifier and absolute offset value, driving the Dalvik virtual machine instruction disassembly engine to disassemble the instruction sequence of the program body of the method, and obtaining the opcode sequence.
9. The device of claim 8, characterized in that:
the virus killing unit is further for driving multiple antivirus engines to perform virus detection jointly, matching the opcode sequence with the records in the virus library files of the multiple antivirus engines and, if the match succeeds, judging that the opcode sequence contains a virus; the multiple antivirus engines comprise: an AVE engine, an AVM engine, a cloud killing engine and a machine learning engine.
10. The device of claim 9, characterized in that:
the code parsing unit is further for obtaining the class name from the class name list in the dex file header;
the virus killing unit is further for driving the AVM engine, through the virus detection script, to match the class name against the class name feature values in the virus library file of the AVE engine and, if the match succeeds, judging that the class is a virus;
the virus killing unit is further for, when the AVM engine judges that the opcode sequence contains a virus, reporting a warning and performing a killing operation and, after the killing operation succeeds, adding the virus information to the virus library file.
CN201410659234.7A 2014-11-18 2014-11-18 Virus detection method and device for Android samples Pending CN104318161A (en)

Publications (1)

Publication Number Publication Date
CN104318161A true CN104318161A (en) 2015-01-28

Family

ID=52373392
Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102663286A (en) * 2012-03-21 2012-09-12 奇智软件(北京)有限公司 Method and device for identifying virus APK (android package)
CN103268445A (en) * 2012-12-27 2013-08-28 武汉安天信息技术有限责任公司 Android malicious code detection method based on OpCode and system thereof
KR20140030989A (en) * 2012-09-04 2014-03-12 주식회사 인프라웨어테크놀러지 Method of obtaining signature of apk files for android operating system, and computer-readable recording medium with apk file signature computing program for the same

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106162648A (en) * 2015-04-17 2016-11-23 上海墨贝网络科技有限公司 A kind of behavioral value method, server and system applying installation kit
CN104899510A (en) * 2015-05-11 2015-09-09 国网甘肃省电力公司电力科学研究院 Virus detecting and killing method for removable storage devices
CN106855926B (en) * 2015-12-08 2019-08-20 武汉安天信息技术有限责任公司 Malicious code detecting method, system and a kind of mobile terminal under Android system
CN106855926A (en) * 2015-12-08 2017-06-16 武汉安天信息技术有限责任公司 Malicious code detecting method, system and a kind of mobile terminal under Android system
CN106909839A (en) * 2015-12-22 2017-06-30 北京奇虎科技有限公司 A kind of method and device for extracting sample code feature
CN106909839B (en) * 2015-12-22 2020-04-17 北京奇虎科技有限公司 Method and device for extracting sample code features
CN109792440A (en) * 2016-08-10 2019-05-21 诺基亚通信公司 Abnormality detection in software defined network
CN106709350A (en) * 2016-12-30 2017-05-24 腾讯科技(深圳)有限公司 Virus detection method and device
WO2018121464A1 (en) * 2016-12-30 2018-07-05 腾讯科技(深圳)有限公司 Method and device for detecting virus, and storage medium
CN109492389B (en) * 2018-10-31 2020-08-21 上海境领信息科技有限公司 Behavior threat analysis method for machine learning automated behavior analysis
CN109492389A (en) * 2018-10-31 2019-03-19 施勇 A kind of behavior threat analysis method of machine learning Automatic behavior analysis
CN110826074A (en) * 2019-11-06 2020-02-21 腾讯科技(深圳)有限公司 Application vulnerability detection method and device and computer readable storage medium
CN111368298A (en) * 2020-02-27 2020-07-03 腾讯科技(深圳)有限公司 Virus file identification method, device, equipment and storage medium
CN111723372A (en) * 2020-06-22 2020-09-29 深信服科技股份有限公司 Virus checking and killing method and device and computer readable storage medium
CN111723372B (en) * 2020-06-22 2024-02-23 深信服科技股份有限公司 Virus checking and killing method and device and computer readable storage medium
CN112214765A (en) * 2020-09-29 2021-01-12 珠海豹好玩科技有限公司 Virus checking and killing method and device, electronic equipment and storage medium
CN112784270A (en) * 2021-01-18 2021-05-11 仙境文化传媒(武汉)有限公司 System and method for loading code file by annotation mode
CN113836531A (en) * 2021-09-25 2021-12-24 上海蛮犀科技有限公司 Detection method for dynamic restoration of mobile application code memory

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150128